Information Security is critical to the State of RI, its agencies, departments, and constituents. As such, the State of Rhode Island Division of Information Technology (DoIT), under the direction of the CIO, has established an Information Security Office which:
- Directs the Information Security service functions of the State, including all physical locations and digital systems such as voice, data, and wireless networks and other similar technologies and business needs, as well as all technical security staff engaged in performing such activities;
- Is responsible for establishing, developing, implementing, and improving information security systems and functions across the enterprise and within state agencies to promote more effective and efficient security administration;
- Establishes, reviews, and maintains Information Technology and Data Security policies, standards, and guidelines;
- Helps State of RI executive management to understand, prioritize, and manage to an acceptable level both current and future security risks;
- Audits and controls security policies and procedures to ensure cost-effective use of enterprise information security resources, enabling state agencies to carry out their appointed functions;
- Provides information on Emergency Security Alerts, Virus Watch, and Cybercrime & Terrorism and investigates reported or discovered security violations.
- Ensures a consistent level of security, remembering that "security is only as strong as its weakest link."
Information security is becoming a cross-functional discipline that spans all the agencies and is based on a number of principles.
Information Security Office Principles
The principles for a secure technology environment can be simply described as the protection of three critical attributes -- the confidentiality and integrity of its information as well as the availability of its systems.
- Confidentiality. "Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…" [44 U.S.C., Sec. 3542] A loss of confidentiality is the unauthorized disclosure of information.
Goal: The information requires protection from unauthorized disclosure.
- Integrity. "Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…" [44 U.S.C., Sec. 3542] A loss of integrity is the unauthorized modification or destruction of information.
Goal: The information must be protected from unauthorized, unanticipated, or unintentional modification.
This includes, but is not limited to:
- Authenticity - A third party must be able to verify that the content of a message has not been changed in transit.
- Non-repudiation - The origin or the receipt of a specific message must be verifiable by a third party.
- Accountability - A security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.
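The integrity, authenticity and non-repudiation goals above are abstract; the following added example (not part of the original page, and not DoIT's own code) makes the distinction concrete using only Python's standard library. The message and key are constructed sample values. A plain hash gives integrity (it detects modification but anyone can recompute it); a keyed HMAC adds authenticity (only a key holder can produce a valid tag). It also shows why a shared-key HMAC cannot by itself give the third-party-verifiable non-repudiation the page lists: every holder of the shared key, the recipient included, could have produced the same tag, so a third party cannot attribute it to one origin.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration (not from the page).
MESSAGE = b"Purchase order 1234: 100 units, deliver to warehouse B"
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def digest(message: bytes) -> str:
    """Integrity only: detects any change to the bytes, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def tag(message: bytes, key: bytes) -> str:
    """Authenticity plus integrity: a matching tag proves the producer held `key`."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_integrity(message: bytes, expected_digest: str) -> bool:
    """True when the message hashes to the stored digest (constant-time compare)."""
    return hmac.compare_digest(digest(message), expected_digest)


def verify_authenticity(message: bytes, key: bytes, expected_tag: str) -> bool:
    """True when the tag was produced over `message` by a holder of `key`."""
    return hmac.compare_digest(tag(message, key), expected_tag)


def possible_origins(message: bytes, observed_tag: str, key_holders: dict) -> list:
    """From a third party's view, list every party whose key reproduces the tag.

    `key_holders` maps party name -> that party's copy of the key (constructed).
    If more than one party is returned, the tag does not establish non-repudiation.
    """
    return [
        name for name, key in key_holders.items()
        if hmac.compare_digest(tag(message, key), observed_tag)
    ]


def non_repudiation_established(message: bytes, observed_tag: str, key_holders: dict) -> bool:
    """Non-repudiation requires exactly one party that could have produced the tag."""
    return len(possible_origins(message, observed_tag, key_holders)) == 1


if __name__ == "__main__":
    d = digest(MESSAGE)
    t = tag(MESSAGE, SHARED_KEY)
    print("integrity ok:", verify_integrity(MESSAGE, d))
    print("tampered detected:", not verify_integrity(MESSAGE + b" (edited)", d))
    print("authentic:", verify_authenticity(MESSAGE, SHARED_KEY, t))
    # Sender and recipient both hold the shared key, so a third party sees two candidates.
    holders = {"sender": SHARED_KEY, "recipient": SHARED_KEY}
    print("origins a third party cannot rule out:", possible_origins(MESSAGE, t, holders))
    print("non-repudiation:", non_repudiation_established(MESSAGE, t, holders))
```

In practice non-repudiation is obtained with asymmetric digital signatures, where only the signer holds the private key and any third party can verify with the public key; that is the property this shared-key example deliberately lacks.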
- Availability. "Ensuring timely and reliable access to and use of information…" [44 U.S.C., Sec. 3542] A loss of availability is the disruption of access to or use of information or an information system.
Goal: The Physical Infrastructure and Systems must be available on a timely basis to meet mission requirements or to avoid substantial losses.
DoIT's Security To-Do List
The 2010/2011 Information Security To-Do List includes:
- Employee Security Training and awareness/best practices
- Security log centralization and aggregation
- Standardize Anti-Virus platform and reporting mechanisms
- Establishment of a security POC in each agency
- Assist agencies in performing regular security audits
- Disaster recovery planning and execution
- Participate in State/Federal cyber-emergency exercises and drills
- Continue/update training for security personnel
Additional Helpful Security Links
Cybercrime & Terrorism